Ok, I give, NFS/Kerberos has left me a broken, broken man.
I've got an Ubuntu 10.04 server, running openldap, and kdc-ldap.
Everything is working fine, kinit, workstation logons, etc... other than I'm trying to get NFS to use Kerberos.
Here's the gist of the error I'm getting, this is from syslog when nfs-kernel is trying to start, but it pretty much says the same in other logs.
Quote:
Nov 6 19:11:47 LNXCORE2 nfsd[1234]: nfssvc: Setting version failed: errno 16 (Device or resource busy)
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1239]: rpcsec_gss: debug level is 3
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Key table file '/etc/krb5/krb5.keytab' not found
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: Unable to obtain credentials for 'nfs'
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: unable to obtain root (machine) credentials
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
First thought, the keytab, here it is:
Quote:
1 3 nfs/lnxcore2.example.com@EXAMPLE.COM
2 3 nfs/lnxcore2.example.com@EXAMPLE.COM
3 3 nfs/lnxcore2.example.com@EXAMPLE.COM
4 3 nfs/lnxcore2.example.com@EXAMPLE.COM
Those are the default encryption types BTW, the last one listed is old des-cbc-crc. Again, those are the defaults.
The /etc/exports: (have tried krb5i, and p as well)
Quote:
/export gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/sharednfs1 gss/krb5(rw,sync,no_subtree_check)
The important parts from /etc/default/nfs-kernel-server:
Quote:
RPCMOUNTDOPTS=--manage-gids
RPCMOUNTDOPTS="-p 31005"
NEED_SVCGSSD=yes
I'm running UFW, but all the correct ports are open and unrestricted.
I've been buried in the internet for days looking for a solution.
I've tried allowing the weak encryption types, and also totally disallowing them. My guess at the moment is that is probably the issue. Most things say old des is required, but I've also seen a few references saying it may not be.
If nothing else, if someone knows a way to uber debug SVCGSS, or even strace it in its appropriate security context, pls let me know? I can see in the docs what it -should- be looking for the keytab, but I swear it's there already.
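
Added example, not part of the original post: the syslog excerpt above names two different keytab paths (one in the GSS-API error, one in the rpc.svcgssd hint), so this script extracts both from log lines and reports whether they agree. The function names and the krb5.conf lookup are this example's own, and the sample input is constructed from the log lines in the post.

```shell
#!/bin/sh
# Constructed sample input: the two rpc.svcgssd lines from the post that name a keytab path.
sample_log() {
cat <<'EOF'
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Key table file '/etc/krb5/krb5.keytab' not found
Nov 6 19:11:47 LNXCORE2 rpc.svcgssd[1240]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
EOF
}

# Path the Kerberos library reported it could not open (GSS-API error line).
keytab_tried() {
  sed -n "s/.*Key table file '\([^']*\)' not found.*/\1/p" | head -n 1
}

# Path named in rpc.svcgssd's own hint line.
keytab_hinted() {
  sed -n 's#.*keytab entry for .* in \(/[^? ]*\).*#\1#p' | head -n 1
}

# default_keytab_name from the krb5.conf given as $1, FILE: prefix stripped; empty if unset.
configured_keytab() {
  sed -n 's#^[[:space:]]*default_keytab_name[[:space:]]*=[[:space:]]*\(FILE:\)\{0,1\}\([^[:space:]]*\).*#\2#p' "$1" | head -n 1
}

# Read svcgssd log lines on stdin and report whether the two paths agree.
compare_keytab_paths() (
  log=$(cat)
  tried=$(printf '%s\n' "$log" | keytab_tried)
  hinted=$(printf '%s\n' "$log" | keytab_hinted)
  if [ -z "$tried" ]; then
    echo "no keytab-not-found error in input"
  elif [ -n "$hinted" ] && [ "$tried" != "$hinted" ]; then
    echo "MISMATCH tried=$tried hinted=$hinted"
  else
    echo "SAME tried=$tried"
  fi
)

sample_log | compare_keytab_paths
# On a real host, follow up with:  klist -k -e <path>   for each path printed,
# and check KRB5_KTNAME and default_keytab_name for an override of the default.
```
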